The data potentially exposed includes employees' Social Security numbers, driver's license numbers and bank account information, and students' academic information. The district's governing board is spending up to $7 million to notify and offer credit monitoring services to those potentially affected by mid-December 2013.

Tom Gariepy, marketing director at Maricopa Community Colleges, told the Republic that the FBI notified the district on April 29, 2013 that it had found a Web site offering data from the district's IT system for sale.

According to Gariepy, the breach wasn't disclosed for seven months because the district spent that time investigating the extent of the exposure. "There was a tremendous amount of data, and the forensics investigation around this was very complex," Gariepy said. "They had to look at a number of different systems and servers and databases. It would have been nice to say something earlier, but we couldn't give anyone information until we could say it with certainty, even if it's not conclusive."

Since then, Gariepy said, more firewalls and security procedures have been implemented, and some IT employees have faced disciplinary action. "We started immediate steps to make the system secure, and it's become progressively more secure as time has gone on," he said.